TLS origin configuration messages

When you are connecting to origins over TLS, you may have errors.

Hostname mismatches

• Error: Hostname mismatch

Why the error appears

Your origin server is serving a TLS certificate with a Common Name (CN) or list of Subject Alternate Names (SAN) that does not match the origin host or the origin's SSL hostname setting.

How to fix it

You can fix this by telling Fastly what to match against in the CN or SAN field in your origin's certificate.

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Origins.
5. Click the pencil to edit the affected host.
6. In the Certificate Hostname field, enter the hostname associated with your TLS certificate. This value is matched against the certificate common name (CN) or a subject alternate name (SAN) depending on the certificate you were issued. For example, if your certificate's CN field is www.example.com, enter that value for your hostname.
7. Click Update.
8. Click Activate to deploy your configuration changes.

When using custom VCL, you can specify the hostname to match against the certificate by using the .ssl_cert_hostname field of your origin's definition. For example: .ssl_cert_hostname = www.example.com;.

Certificate chain mismatches

• Error: unable to verify the first certificate
• Error: self signed certificate
• Error: unable to get local issuer certificate
• Error: self signed certificate in certificate chain
• Error: unable to get issuer certificate

Why the errors appear

Your origin server is serving a certificate chain that can not be validated using any of the certification authorities (CAs) that Fastly knows. This can happen for two reasons:

• Your certificate is self-signed or self-issued and you did not provide your generated CA certificate to Fastly for us to use for verification.
• Your certificate is issued by a CA that isn't in Fastly's CA certificates bundle.

How to fix them

In both cases, you can fix your configuration by adding the CA certificate that Fastly should use to verify the certificate to your service configuration:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Origins.
5. Click the pencil to edit the affected host.
6. In the TLS CA certificate field, copy and paste a PEM-formatted CA certificate.
7. Click Update.
8. Click Activate to deploy your configuration changes.

If you are using custom VCL, you can specify the CA for Fastly to use by setting the .ssl_ca_cert backend parameter to a PEM encoded CA certificate.

Alternatively, you can get a new certificate issued by a CA in Fastly's CA certificate bundle (e.g., Globalsign).

Connection failures

• Error: Gethostbyname
• Error: Connection timeout
• Error: Connection refused

Why each error appears and how to fix it

For Gethostbyname failures, the configured backend Host domain is returning NXDOMAIN. Double check that the DNS settings for your backend are correct.

For Connection time out failures, the connection to your server is timing out. Double check that your backend is accessible and responding in a timely fashion.

For Connection refused failures, the connection to your server is being refused, potentially by a firewall or network ACL. Double check that you have allowlisted the Fastly IP addresses and that your backend is accessible from our network.

Certificate expirations

Error: Certificate has expired

Why the error appears

The certificate your backend server is presenting Fastly has expired and needs to be reissued with an updated validity period.

How to fix it

If this is a self-signed certificate you can perform this update on your own by issuing a new CSR with your private key, creating the corresponding certificate, and installing it on the server.

If this is a CA signed certificate you will need to issue a new CSR with your private key, submit it to your CA, and install the signed certificate they provide you.

SSL and old TLS protocol errors

• Error: Unknown protocol
• Error: SSL handshake failure
• Error: TLSv1 alert internal error

Why the errors appear

Either your origin server is not configured to use TLS or it only supports older, outdated versions of the protocol. We do not support SSLv2 or SSLv3.

How to fix them

If the origin server is configured to use TLS, use the following information to troubleshoot the problem:

• Make sure your server software is up to date and running a recent version of the TLS libraries for your platform or operating system. You may have to explicitly enable a newer protocol version. Fastly supports TLS 1.3, 1.2, 1.1, and 1.0.

• Confirm that you can connect to your origin. For example, if you're using TLS 1.3, enter a command like:

  $ echo Q | openssl s_client -connect ${IP}:443 -tls1_3

  To test other versions of TLS, you can replace -tls1_3 with tls1_2, -tls1_1, or -tls1_0. If the TLS handshake is successful, you should see output showing the certificate, the subject, the issuer, and additional diagnostic information.

• Use sslscan to list the TLS protocols and ciphers supported by the TLS server.

If the origin server is not configured to use TLS, change your service configuration to disable TLS and communicate with it on port 80 instead of port 443:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Origins.
5. Click the pencil to edit the affected host.
6. From the Connect to backend using TLS menu, select No.
7. Click Update.
8. Click Activate to deploy your configuration changes.

RC4 cipher error

• Error: Using RC4 Cipher

Why the error appears

When Fastly connects to your origin server using TLS, the only cipher suite your server supports for establishing a connection is the RC4 cipher. This cipher is considered to be unsafe for general use and should be deprecated.

How to fix it

You can fix this on your origin by using the latest version of both the server and the TLS library (e.g., OpenSSL) and ensuring the cipher suites offered are tuned to best practices. You may need to explicitly blocklist the RC4 cipher.